Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
Junos OS supports two different styles of configuration for switch interfaces: service provider style and enterprise style. The service provider style requires more configuration but provides greater flexibility. The enterprise style is easier to configure but offers less functionality.
With the enterprise style of configuration, logical interfaces are placed into Layer 2 mode by specifying ethernet-switching as the interface family. The ethernet-switching option can only be configured on a single logical unit, unit 0. You cannot bind a VLAN ID to unit 0, because these interfaces operate either in trunk mode, which supports traffic with various VLAN tags, or in access mode, which supports untagged traffic.
Some switching features, such as Q-in-Q tunneling, cannot be configured on logical interface unit 0. Q-in-Q tunneling requires the logical interface to transmit VLAN-tagged frames. To enable a logical interface to receive and forward VLAN-tagged Ethernet frames, you must bind the logical interface to that VLAN. Because the enterprise style does not allow binding of a VLAN ID to unit 0, you must use the service provider style to configure Q-in-Q tunneling.
To support DHCP security along with Q-in-Q tunneling, you can configure the following DHCP security features using the service provider style:
- DHCP snooping (DHCPv4 and DHCPv6)
- Dynamic ARP inspection
- Neighbor discovery inspection
- DHCP option 82
- DHCPv6 option 18 and option 37
- Lightweight DHCPv6 relay agent
You can combine the service provider and enterprise styles of configuration on the same physical interface using flexible Ethernet services encapsulation. With flexible Ethernet services encapsulation, you configure encapsulations at the logical interface level instead of at the physical interface level. Defining multiple per-unit Ethernet encapsulations makes it easier to customize Ethernet-based services for multiple hosts connected to the same physical interface. For more information, see Flexible Ethernet Services Encapsulation.
EX4300 switches do not support configuration of service provider style and enterprise style on the same physical interface.
Example: DHCP Security and Q-in-Q Tunneling with Service Provider Style Configuration
When configuring a physical interface to support only the service provider style, configure the extended-vlan-bridge encapsulation type to support bridging features. You must also configure native VLAN tagging on the physical interface so that it can operate in trunk mode and transmit Ethernet frames with VLAN tags for multiple VLANs. Configure flexible VLAN tagging on the interface so that it can transmit both 802.1Q single-tagged and dual-tagged frames.
The following example configuration encapsulates physical interface ge-0/0/11 for the service provider style and defines logical unit 111. VLAN v111 is bound to unit 111, and Q-in-Q tunneling is configured on logical interface ge-0/0/11.111. The configuration enables DHCP snooping, dynamic ARP inspection, and DHCP option 82 on VLAN v111.
set interfaces ge-0/0/11 flexible-vlan-tagging
set interfaces ge-0/0/11 native-vlan-id 112
set interfaces ge-0/0/11 encapsulation extended-vlan-bridge
set interfaces ge-0/0/11 input-native-vlan-push enable
set interfaces ge-0/0/11 unit 111 vlan-id-list 111-112
set interfaces ge-0/0/11 unit 111 input-vlan-map push
set interfaces ge-0/0/11 unit 111 output-vlan-map pop
set vlans V111 interface ge-0/0/11.111
set vlans V111 forwarding-options dhcp-security group TRUSTED overrides trusted
set vlans V111 forwarding-options dhcp-security group TRUSTED interface ge-0/0/11.111
set vlans V111 forwarding-options dhcp-security arp-inspection
set vlans V111 forwarding-options dhcp-security option-82 remote-id use-interface-description logical
Example: DHCP Security and Q-in-Q Tunneling with Flexible Ethernet Services Encapsulation
The flexible Ethernet services encapsulation type enables a physical interface to support both styles of configuration. To support the service provider style, flexible Ethernet services allows encapsulations to be configured at the logical interface level instead of at the physical interface level. To support the enterprise style, flexible Ethernet services allows the ethernet-switching family to be configured on any logical interface unit number.
The following example configuration encapsulates physical interface ge-0/0/11 with flexible-ethernet-services to support both service provider and enterprise style configurations. Two logical units are defined on the physical interface: unit 111 for the service provider style, and unit 0 for the enterprise style. The vlan-bridge encapsulation enables bridging features on unit 111, and the ethernet-switching family enables bridging features on unit 0. Q-in-Q tunneling is configured on logical interface ge-0/0/11.111.
VLAN v111 is bound to unit 111 and has the following DHCP security features:
- DHCP snooping with option 82 and trusted override
- Dynamic ARP inspection
VLAN EP_v222 is bound to unit 0 and has the following DHCP security features:
- DHCP snooping with option 82
- Dynamic ARP inspection
- Neighbor discovery inspection
Interfaces with service provider style configuration are untrusted by default for DHCP. On interfaces with enterprise style configuration, access interfaces are untrusted and trunk interfaces are trusted.
set interfaces ge-0/0/11 flexible-vlan-tagging
set interfaces ge-0/0/11 native-vlan-id 112
set interfaces ge-0/0/11 encapsulation flexible-ethernet-services
set interfaces ge-0/0/11 input-native-vlan-push enable
set interfaces ge-0/0/11 unit 111 encapsulation vlan-bridge
set interfaces ge-0/0/11 unit 111 vlan-id-list 111-112
set interfaces ge-0/0/11 unit 111 input-vlan-map push
set interfaces ge-0/0/11 unit 111 output-vlan-map pop
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members EP_V222
set vlans V111 interface ge-0/0/11.111
set vlans V111 forwarding-options dhcp-security group TRUSTED overrides trusted
set vlans V111 forwarding-options dhcp-security group TRUSTED interface ge-0/0/11.111
set vlans V111 forwarding-options dhcp-security arp-inspection
set vlans V111 forwarding-options dhcp-security option-82 remote-id use-interface-description logical
set vlans EP_V222 vlan-id 222
set vlans EP_V222 forwarding-options dhcp-security arp-inspection
set vlans EP_V222 forwarding-options dhcp-security neighbor-discovery-inspection
set vlans EP_V222 forwarding-options dhcp-security option-82 remote-id use-interface-description logical
Example: DHCP Security and Q-in-Q Tunneling with Support for Swap-Push/Pop-Swap
Q-in-Q tunneling and VLAN translation allow service providers to create an L2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link.
Q-in-Q tunneling with L2 swap-push/pop-swap support is a specific scenario in which the customer VLAN (C-VLAN) tag is swapped with the inner-vlan-id tag, and the service-provider-defined service VLAN (S-VLAN) tag is pushed on top of it (for traffic flowing from the customer site to the service provider site). This traffic is sent into the service provider network double-tagged (S-VLAN + C-VLAN). For traffic flowing from the service provider network to the customer network, the S-VLAN tag is removed, and the C-VLAN tag is replaced with the VLAN ID configured on the UNI logical interface.
The following example shows the swap-push/pop-swap dual-tag operations.
- Swap-push—For an incoming single-tagged frame from the UNI, the C-VLAN tag (VLAN ID 100) is swapped with the inner VLAN ID (200) configured on the logical interface, and the S-VLAN tag (VLAN ID 900) is pushed onto the frame. The double-tagged frame egresses from the NNI.
- Pop-swap—For an incoming double-tagged frame from the NNI, the S-VLAN tag (VLAN ID 900) is popped from the frame, and the logical interface's VLAN ID (100) replaces the C-VLAN tag. The single-tagged frame egresses from the UNI.
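The two tag operations above, modeled in Python as an added example (not code from the Junos documentation): it parses the 802.1Q tag stack of a raw Ethernet frame, applies swap-push on the UNI-to-NNI path and pop-swap on the return path using the page's VLAN IDs (C-VLAN 100, inner-vlan-id 200, S-VLAN 900), and checks that the round trip restores the customer frame. The sample frame is constructed, and using the 0x8100 TPID for both tags is an assumption; the outer TPID on a real device is whatever the platform is configured to use.

```python
import struct

TPID = 0x8100  # assumption: both tags use the 802.1Q TPID; the real outer TPID is platform-configured

def parse(frame: bytes):
    """Split a frame into (dst, src, [tci, ...], rest); rest begins at the EtherType."""
    dst, src, off, tcis = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tcis.append(struct.unpack("!H", frame[off + 2:off + 4])[0])
        off += 4
    return dst, src, tcis, frame[off:]

def build(dst: bytes, src: bytes, tcis, rest: bytes) -> bytes:
    """Reassemble a frame from its parts, outer tag first."""
    return dst + src + b"".join(struct.pack("!HH", TPID, t) for t in tcis) + rest

def vlan_ids(frame: bytes):
    """VLAN IDs outer-first, e.g. [900, 200] for an S-VLAN/C-VLAN double-tagged frame."""
    return [t & 0x0FFF for t in parse(frame)[2]]

def swap_push(frame: bytes, inner_vlan_id: int, svlan_id: int) -> bytes:
    """UNI -> NNI: swap the C-VLAN ID for inner-vlan-id (keeping the PCP bits), then push the S-VLAN tag."""
    dst, src, tcis, rest = parse(frame)
    if len(tcis) != 1:
        raise ValueError("swap-push expects a single-tagged frame")
    inner = (tcis[0] & 0xF000) | (inner_vlan_id & 0x0FFF)
    return build(dst, src, [svlan_id & 0x0FFF, inner], rest)

def pop_swap(frame: bytes, uni_vlan_id: int) -> bytes:
    """NNI -> UNI: pop the outer S-VLAN tag, then replace the C-VLAN ID with the UNI logical interface's VLAN ID."""
    dst, src, tcis, rest = parse(frame)
    if len(tcis) != 2:
        raise ValueError("pop-swap expects a double-tagged frame")
    customer = (tcis[1] & 0xF000) | (uni_vlan_id & 0x0FFF)
    return build(dst, src, [customer], rest)

# Constructed sample: a single-tagged customer frame (C-VLAN 100) with a dummy IPv4 payload.
CUSTOMER_FRAME = build(bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001"),
                       [100], b"\x08\x00" + b"\x45" * 20)

if __name__ == "__main__":
    to_provider = swap_push(CUSTOMER_FRAME, inner_vlan_id=200, svlan_id=900)
    print(vlan_ids(to_provider))                    # [900, 200]
    back = pop_swap(to_provider, uni_vlan_id=100)
    print(vlan_ids(back), back == CUSTOMER_FRAME)   # [100] True
```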
To support DHCP security along with Q-in-Q tunneling, you can configure the following DHCP security features:
- DHCP snooping (DHCPv4 and DHCPv6)
- Dynamic ARP inspection
- DHCPv6 source-guard
- Neighbor discovery inspection
- DHCP option 82
- DHCPv6 option 37
set interfaces ge-0/0/1 description UNI
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation flexible-ethernet-services
set interfaces ge-0/0/1 unit 100 encapsulation vlan-bridge
set interfaces ge-0/0/1 unit 100 vlan-id 100
set interfaces ge-0/0/1 unit 100 input-vlan-map swap-push
set interfaces ge-0/0/1 unit 100 input-vlan-map vlan-id 900
set interfaces ge-0/0/1 unit 100 input-vlan-map inner-vlan-id 200
set interfaces ge-0/0/1 unit 100 output-vlan-map pop-swap
set interfaces ge-0/0/2 description NNI
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
set interfaces ge-0/0/2 unit 900 encapsulation vlan-bridge
set interfaces ge-0/0/2 unit 900 vlan-id 900
set vlans vlan-900 interface ge-0/0/1.100
set vlans vlan-900 interface ge-0/0/2.900
set vlans vlan-900 forwarding-options dhcp-security arp-inspection
set vlans vlan-900 forwarding-options dhcp-security ip-source-guard
set vlans vlan-900 forwarding-options dhcp-security neighbor-discovery-inspection
set vlans vlan-900 forwarding-options dhcp-security ipv6-source-guard
set vlans vlan-900 forwarding-options dhcp-security group trusted overrides trusted
set vlans vlan-900 forwarding-options dhcp-security group trusted overrides no-option82
set vlans vlan-900 forwarding-options dhcp-security group trusted overrides no-dhcpv6-options
set vlans vlan-900 forwarding-options dhcp-security group trusted interface ge-0/0/2.900
If you configure the logical interface with a VLAN ID list and configure the input-vlan-map and output-vlan-map as swap-push/pop-swap, the result is undesired behavior: traffic egressing from the UNI carries the logical unit number instead of the original customer VLAN ID from the configured VLAN ID list.